HIPAA-first
Architected for HIPAA from day one. A signed Business Associate Agreement (BAA) is in place with AWS, and we sign a BAA with every customer before any PHI is loaded.
Encryption everywhere
AES-256 encryption at rest and TLS 1.3 in transit. PHI is never stored or transmitted in the clear.
Access control
Mandatory multi-factor authentication (MFA) for admin roles, role-based access control (RBAC), and 20-minute idle session timeouts.
7-year audit log
Every access and change is recorded and retained for 7 years, meeting CMS and state documentation-retention requirements.
Isolated infrastructure
Private AWS RDS, multi-tenant isolation, and 35-day automated backups with point-in-time recovery.
SOC 2 Type II
Independent SOC 2 Type II audit is in progress; the report will be available in Q3 2026. We'll share it under NDA on request.
Where we are honest with you
SOC 2 Type II is in audit, not yet certified — we won't display a badge we haven't earned. We're an early-stage vendor and we'd rather you know exactly where we stand than be surprised in procurement. What we can show you today: the signed AWS BAA, our encryption and access-control configuration, the audit-log design, and a reference call with a live agency.
Ask our team a security question →Want the full security packet?
We'll walk your compliance officer through the BAA, data-flow diagram, and audit-log design on a 25-minute call.
Book my 25-min demo